After first Anon hack, PR firm failed to update other .gov websites

Even after one of the FTC sites run by Fleishman-Hilliard was hacked in …

The hacking of the websites of the Federal Trade Commission's Bureau of Consumer Protection on February 17 was the second attack on the agency's Web presence in less than a month. Both of the attacked servers were set up for the FTC by the public relations firm Fleishman-Hilliard under a $1.5 million communications support contract awarded to the company last August, and ran on servers the firm provisioned from Web hosting and cloud services provider Media Temple. But even after the server for the FTC's OnGuardOnline.gov site (ironically, a site intended to share tips from the government on computer security and privacy for consumers) was hacked on January 24 using an exploit of security weaknesses in the applications running on it, Fleishman declined to update the software running its other sites, an executive of Media Temple told Ars.

Media Temple chief marketing officer Kim Brubeck told Ars, "we have actually asked Fleishman-Hilliard to remove any [remaining] .gov sites" from Media Temple's servers. In an email to Fleishman-Hilliard on February 18, Brubeck requested that the company complete the transfer of its remaining government websites to other hosting providers within 48 hours.

Referring to the government's security regulations, Brubeck explained, "We aren't a FISMA-certified hosting service," and added that Media Temple was unaware that Fleishman-Hilliard had intended to use the servers for government accounts. Under the terms of the service through which the servers were provisioned, Fleishman-Hilliard was responsible for the administration and security of the servers, including operating system updates, software installations and backups, and had set up the servers—but "had chosen not to update their applications," Brubeck said.

Update: a Fleishman-Hilliard spokesperson contacted Ars on February 19, and said the company could not comment on the attack due to a strict non-disclosure agreement with the FTC, and referred further questions to the agency.

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.